---
layout: docs
page_title: 'Commands: ACL Token Create'
sidebar_title: create
---

# Consul ACL Token Create

Command: `consul acl token create`

This command creates new tokens. When creating a new token, policies may be linked using
either the `-policy-id` or the `-policy-name` options. When specifying policies by IDs you
may use a unique prefix of the UUID as a shortcut for specifying the entire UUID.

## Usage

Usage: `consul acl token create [options] [args]`

#### API Options

@include 'http_api_options_client.mdx'

@include 'http_api_options_server.mdx'

#### Command Options

- `-accessor=<string>` - Create the token with this Accessor ID. It must be a UUID. If not
  specified one will be auto-generated

- `-description=<string>` - A description of the token.

- `-expires-ttl=<duration>` - Duration of time this token should be valid for.

- `-local` - Create this as a datacenter local token.

- `-meta` - Indicates that token metadata such as the content hash and raft indices should be shown
  for each entry.

- `-policy-id=<value>` - ID of a policy to use for this token. May be specified multiple times.

- `-policy-name=<value>` - Name of a policy to use for this token. May be specified multiple times.

- `-role-id=<value>` - ID of a role to use for this token. May be specified multiple times.

- `-role-name=<value>` - Name of a role to use for this token. May be specified multiple times.

- `-service-identity=<value>` - Name of a service identity to use for this
  token. May be specified multiple times. Format is the `SERVICENAME` or
  `SERVICENAME:DATACENTER1,DATACENTER2,...`

- `-secret=<string>` - Create the token with this Secret ID. It must be a UUID. If not
  specified one will be auto-generated.
  **Note**: The SecretID is used to authorize operations against Consul and should
  be generated from an appropriate cryptographic source.

- `-format={pretty|json}` - Command output format. The default value is `pretty`.

#### Enterprise Options

@include 'http_api_namespace_options.mdx'

## Examples

Create a new token:

```shell-session
$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965
AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
Description:  Read Nodes and Services
Local:        false
Create Time:  2018-10-22 15:33:39.01789 -0400 EDT
Policies:
   06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
```

Create a new local token:

```shell-session
$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local
AccessorID:   4fdf0ec8-d251-3865-079c-7247c974fc50
SecretID:     02143514-abf2-6c23-0aa1-ec2107e68f6b
Description:  Read Nodes and Services
Local:        true
Create Time:  2018-10-22 15:34:19.330265 -0400 EDT
Policies:
   06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
```

Create a new token and link with policies by name:

```shell-session
$ consul acl token create -description "Super User" -policy-name global-management
AccessorID:   59f86a9b-d3b6-166c-32a0-be4ab3f94caa
SecretID:     ada7f751-f654-8872-7f93-498e799158b6
Description:  Super User
Local:        false
Create Time:  2018-10-22 15:35:28.787003 -0400 EDT
Policies:
   00000000-0000-0000-0000-000000000001 - global-management
```

Create a new token with one service identity that expires in 15 minutes:

```shell-session
$ consul acl token create -description 'crawler token' -service-identity 'crawler' -expires-ttl '15m'
AccessorID:       0c083aca-6c15-f0cc-c4d9-30578db54cd9
SecretID:         930dafb6-5c08-040b-23fb-a368a95256f9
Description:      crawler token
Local:            false
Create Time:      2019-04-25 16:45:49.337687334 -0500 CDT
Expiration Time:  2019-04-25 17:00:49.337687334 -0500 CDT
Service Identities:
   crawler (Datacenters: all)
```
